Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Jeff McJunkin Profile picture
Jeff McJunkin
@jeffmcjunkin
Started in ops and blue, now I hack for a living. SANS author/instructor in Oregon. Founder: https://t.co/c36tmCG20T. He/him. @jeffmcjunkin@infosec.exchange
Mar 7 15 tweets 7 min read
Wow, this article was a fun rabbit hole:



In viewing , I then saw a reference to a scanned document named Chasebank_statement_feb.zip.

Inside, I found a simple LNK. What to?

🧵 (1/15)vin01.github.io/piptagole/secu…
urlscan.io
sites.google.com The LNK file pointed to the local copy of cmd.exe, of course!

(Amusingly abuse of LNK files to cmd.exe or powershell.exe is some of the latest material inside , but I digress)

What does that base64-encoded data come back to? Next up, CyberChef! sans.org/sec560
Image
Dec 27, 2020 14 tweets 5 min read
Here's a threat on some overpowered technologies to slow down attackers that you can implement _now_.

First, re-implement LAPS (microsoft.com/en-us/download…) at your peril.

1/14 Every time I've seen companies roll their own implementation, it's resulted in _any_ compromised workstation being able to retrieve _all_ local Administrator passwords.

Just use LAPS.

2/14
Dec 11, 2018 30 tweets 13 min read
Attending @_wald0 and @CptJesus's webcast now: register.gotowebinar.com/register/50128…. Live-tweeting as follows [1/n] Andy just gave props to MS Research: alicezheng.org/papers/sosp200…, @PyroTek3 (adsecurity.org), and @harmj0y (github.com/PowerShellMafi…). Great stuff! [2/n]